A SAPInsider analysis from May 2025 noted that MCP "borrows many concepts from old protocols like CORBA or SOAP around discoverability and invocation, adapting them to be usable by agents." The framing was generous: a new standard learning from its predecessors. But the observation is better read as evidence that the cycle is structural. The concepts keep returning because the problems they addressed were never resolved. They were deferred to the next generation, which deferred them again.
CORBA shipped in 1991 with genuine ambition: cross-platform, cross-language distributed objects, coordinated through interface definitions and object request brokers. It worked, up to a point. Everything around the edges that mattered for running it in production remained unsolved. The security model offered domain-level access control but couldn't enforce rules at the object or method level. Versioning was, in practitioner parlance, utterly inadequate. Change an interface and you broke the wire contract between every connected component simultaneously, forcing all-at-once replacement across a deployed system. For anyone building commercial infrastructure, these were the reasons you chose something else. And the something else that arrived inherited exactly the problems nobody had solved.
SOAP, published in late 1999, fixed the most visible friction. XML over port 80 meant no more negotiating firewall ports per service. But look at what WS-Security actually said about itself: key management, trust bootstrapping, federation, and cipher agreement were all declared "outside the scope." There it is. The governance question, stated plainly and deferred in the same sentence. Many teams fell back to TLS alone and skipped message signing entirely. The gap didn't close. It moved.
REST solved SOAP's complexity by abandoning mandatory contracts altogether. No WSDL, no XML schema negotiation. API versioning became an industry-wide unsolved problem, with URL paths, headers, and query parameters all in simultaneous use. OpenAPI arrived later as voluntary documentation, not enforcement. The coordination burden that CORBA had made explicit and SOAP had made brittle, REST made invisible. Invisible burdens don't generate pressure to fix them.
There's probably something structural here about how standards propagate. They need to be easy to adopt before they become load-bearing. Governance makes them hard to adopt. So governance can never arrive on time.
MCP fits the pattern closely. Its original specification shipped without authentication. OAuth 2.1 support was added months later, after enterprises had already begun deploying. Authentication remains optional. Researchers at Knostic found over 1,800 MCP servers on the public internet with no authentication enabled. By November 2025, MCP's own leadership acknowledged hearing "loud and clear from the industry" that governance and registry management were missing. The gap was visible. The protocol was already load-bearing.
In 2006, an ACM Queue post-mortem on CORBA observed:
"CORBA's history is one that the computing industry has seen many times, and it seems likely that current middleware efforts, specifically Web services, will reenact a similar history."
They were writing about SOAP. Twenty years later, the observation reads as structural description. Each generation believes it has transcended the cycle. The cycle, it turns out, is that belief.